The methodology of tests that found IE is tops for blocking a particular type of malware attack has come under fire from Google.
NSS Labs was commissioned by Microsoft to assess the ability of browsers to block socially engineered malware attack URLs. The exercise focused on the effectiveness of in-built browser technology to …

"open sauce browser"

open sauce browser

Biased much

IE 9 beta: 99%

IE 8: 90%

Firefox 3.6: 19%

Safari 5: 11%

Chrome 6: 3%

This does look suspicious. I freely admit I have never studied the question, and I have no idea what techniques different browsers use, but I have trouble believing the results. Of course, the fact that Microsoft commissioned the study does not help any...

I would also be more interested if I was actually scared of getting malware from a web site, but I feel somewhat safe on my jobsian machine.

Re: Biased much

I think the "we'll publish if we get the right answer" tells you everything you need to know about the study, including (by omission) the rate of false positives in each browser. If IE9 is going to dance up and down for every link that I click, it is going to be like UAC in Vista and we can be sure that IE10 will be scaled back.

However...

... unless things have changed drastically recently, only two of Microsoft's divisions make any profit - Windows and Office. All of the rest are loss-making, hence the various panics over Vista and Office 2008.

And pouring money into keeping the gaming media sweet about Xbox and Kinect ... it's like the kid at school who tries to bribe other kids with sweets and dinner money to make them like him... pathetic really.

They'd be better spending the money on testing their products before they shove them out of the door for mugs to buy. Or paying their fines from the European Court of First Instance for criminal abuse of their near-monopoly on the crapware included with new PCs... :-(

Does seem fishy

So NSS were commissioned by Microsoft and could safely assume that their work wouldn't see the light of day unless favourable to the sponsor - and the results are practically a whole order of magnitude higher for said sponsor's latest product?

Unless NSS share their methodology to allow a fair response this has to be considered somewhere between 'suspect' and 'a waste of good ASCII' on the sliding scale of corporate guff.

and

social engineering

Not much of a problem anyway if you follow a few common sense rules:

> don't use any login prompt that you didn't request to see.

> don't initiate any download that you didn't request

> don't trust any vague/retarded messages; "someone you know called John or Dave or Emma sent you a message because they are trapped in a lift or fell in a frozen lake or got stuck up a chimney - respond NOW using this dodgy web form"

"Google Chrome was built with security in mind from the beginning"

Yeah right, so why hasn't it got Firefox like master password functionality then? If my laptop is stolen Chrome will just merrily allow anyone who mounts the disk and copies the Google folder to login to all my online accounts. Firefox protects the login auto completion with a master password.

No doubt someone will say "well just don't allow Chrome to auto complete forms on your laptop then". Yeah, that's really useful when I have dozens of forum logins. Unfortunately there are also endless users out there who just wouldn't think that the auto complete is insecure functionality.

Come on Google, sort it out if you really have built Chrome with security in mind. This is being asked for a lot on the boards and is not particularly difficult functionality. Do your bit to help prevent fraud.

Old version of Chrome or typical flamebait "convenient ignorance"?

If you are using Chrome on any version of Windows from 2000 onwards, this does not happen. The saved passwords and form data are unavailable under any account with a different SID, which is highly unlikely to occur between two completely separate systems (as would be in the example you just provided).

History can be transferred, along with bookmarks and such, but this is standard for almost all modern browsers.

hmmm

The test was completed in September 2010, so Chrome 6 was the current version, unless it took place after the 21st when 7 would have been current.

Google statement "Google Chrome was built with security in mind from the beginning and emphasizes protection of users from drive-by downloads and plug-in vulnerabilities". I love the way they use the phrase "with security in mind", so they were thinking about it, they did not necessarily do anything about it, but they were thinking about it.

"for example, we recently introduced a new security sandbox for Flash Player" When the tests get re-run in 1Q11, it will be interesting to see how the newer version gets on.

"Additionally, the testing methodology isn't available in a way that can be independently verified" You could download a copy of the methodology from the website; Google it if you need to, or just follow the links. OK, so there could be more details, but the methodology is detailed on their website.

What I want to see is,

"commissioned by Microsoft"

There's the key phrase right there: "commissioned by Microsoft". I'm guessing that like every other "study" that is commissioned by a corporation, the test was massaged until the results were what the client ordered. After all, corporations don't commission TESTS, they commission RESULTS. Invariably results of a very particular nature. I hate to say this, but Microsoft is no more evil here than any other corporation out there.